V-Tokens for Conditional Pseudonymity in VANETs - University of ...

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the WCNC 2010 proceedings.

V -tokens for Conditional Pseudonymity in VANETs ∗

†

Florian Schaub∗ , Frank Kargl† , Zhendong Ma∗ , and Michael Weber∗

Institute of Media Informatics, Ulm University, Germany, [email protected] Distributed and Embedded Security, University of Twente, The Netherlands, [email protected]

Abstract—Privacy is an important requirement in vehicle networks, because vehicles broadcast detailed location information. Also of importance is accountability due to safety critical applications. Conditional pseudonymity, i.e., usage of resolvable pseudonyms, is a common approach to address both. Often, resolvability of pseudonyms is achieved by authorities maintaining pseudonym-identity mappings. However, these mappings are privacy sensitive and require strong protection to prevent abuse or leakage. We present a new approach that does not rely on pseudonym-identity mappings to be stored by any party. Resolution information is directly embedded in pseudonyms and can only be accessed when multiple authorities cooperate. Our privacy-preserving pseudonym issuance protocol ensures that pseudonyms contain valid resolution information but prevents issuing authorities from creating pseudonym-identity mappings.

I. I NTRODUCTION In inter-vehicular networks, also known as VANETs, wireless communication between vehicles facilitates cooperative applications enhancing road safety, traffic efficiency, and driving convenience. Collision avoidance, real-time traffic information, lane merge assistance, and accident warnings are some of the envisioned applications. It is generally agreed that security and privacy are mandatory requirements for the deployment of VANETs. As a practical security approach, the management of vehicle IDs and authentication by digital signatures and public key certificates is proposed by research projects [1] and standardization efforts [2]. Privacy issues arise from frequent dissemination of beacon messages that contain detailed vehicle-related information (e.g., position, speed, heading), which can be abused for tracking and profiling of individuals. However, solving it is a challenging task because privacy approaches for VANETs are constrained by network characteristics and security requirements [3]. One often proposed solution are frequently changing pseudonyms [1]. Here, a pseudonym is a public key certificate which does not contain information linking it to a vehicle, driver, or other pseudonyms. But accountability may be desired to evict misbehaving nodes or assign liability after fatal accidents. So some authorities must be able to resolve pseudonyms to vehicle identities in certain situations. Therefore, only conditional pseudonymity should be provided in VANETs. The pseudonym lifecycle consists of several phases: During pseudonym issuance, a vehicle obtains pseudonyms from a certificate authority (CA). In the process, the vehicle needs to authenticate and resolution information needs to be created. Pseudonym usage is a vehicle’s use of pseudonyms to authenticate messages in communication with other vehicles and infrastructure nodes. If required, some authorities may

perform identity resolution to trace a pseudonym back to an identity by using information retained in the first step. Revocation is an optional step, in which a vehicle’s identity and pseudonyms can be revoked to exclude it from participating in the network. To mitigate scalability issues, a vehicle can be revoked passively, i.e., only its identity is revoked while the vehicle can still participate in the network until its current pseudonyms expire, but it cannot acquire new pseudonyms. Conditional pseudonymity provides privacy for vehicles and also accountability. However, vehicles have to trust pseudonym issuing authorities to store and manage resolution information securely and responsibly. If resolution information leaks or becomes openly available, the privacy protection provided by pseudonyms is undermined. We propose to reconsider the common assumption that authorities can be fully trusted with managing information that could render privacy mechanisms ineffective. Instead, authorities should follow the principles of minimum disclosure and separation of concerns. Only entities responsible for identity resolution should be able to access resolution information while other entities, like pseudonym issuance authorities, should neither store nor have access to it. This raises several questions in the VANET context: How can accountability be achieved without entrusting pseudonym issuing authorities with resolution information? How can it be ensured that resolution information can only be used in legitimate situations by a specific authorities? And to what extend should linking information be released then? In this work, we propose a new approach for conditional pseudonymity in VANETs that addresses these questions. Our approach achieves accountability without requiring authorities to store resolution information and prevents them from keeping it. As a result, drivers have to place less trust in authorities. The scheme also benefits authorities by helping them comply with privacy regulations and reducing the amount of sensitive information to be managed. Further, we enforce the cooperation of several authorities for pseudonym-identity resolution to ensure multiple parties agreeing on necessity for resolution. The resolution protocol also provides perfect forward privacy [3], i.e., only linking information for the current pseudonym is made available while other pseudonyms and messages of that user remain unlinkable. Next, we discuss related work (Sec. II) and the system model (Sec. III), before presenting and analyzing our approach (Sec. IV, V). II. R ELATED W ORK Privacy and pseudonymity have been discussed in many research projects like PRIME and there are resulting frame-

978-1-4244-6398-5/10/$26.00 ©2010 IEEE Authorized licensed use limited to: UNIVERSITEIT TWENTE. Downloaded on July 22,2010 at 09:05:11 UTC from IEEE Xplore. Restrictions apply.


works like Idemix1 . However, they are focusing mainly on Internet-like scenarios that are very different from the VANET scenarios we are considering herein. Privacy protection is generally considered mandatory for successful VANET deployment. Most approaches are based on pseudonyms with identity resolution as proposed by major research projects like SeVeCom2 or PREDRIVE-C2X3 and standardization efforts, e.g., carried out by ETSI TC ITS WG5. We conclude that pseudonym-based solutions are considered the most practical and promising privacy protection mechanisms in VANETs and focus on them in our work. In [3], we analyze the specifics of VANETs and what requirements this creates for privacy solutions. We also carry out a broad review of current proposals in the light of those requirements. While basic schemes work as described in the introduction, more advanced schemes try to reduce the created overhead, e.g., with self-signed certificates [4]. Self-signed certificates create a Sybil attack problem as one cannot limit the amount of pseudonyms a vehicle controls. A recent approach tries to contain this problem [5]. [6] proposes a scheme that enforces collaborative identity resolution. However, resolution authorities need to participate in pseudonym issuance which is not desirable. Ideally, we would prefer a strict separation of concerns so that each entity in our system model has a clear task and can be implemented independently of other functionality.

Authentication phase: V −→ CAh V ←− CAh V V V −→ CAh V ←− CAh V −→ CAh CAh CAh V ←− CAh V

: (idV , req, σV (req))

(1)

: (id, P KRA , idCAh , exp, n) : Vi = EP KRA (id ri ) : Ci = (mi )bi = (Vi exp idCAh )bi : (C1 , . . . , Cn ) : I −1 : bi , ri | i ∈ I

(2) (3)

: (Ci )

(8)

b−1 i

bi b−1 i

= (mi )

= mi

(4) (5) (6) (7)

?

: mi = (EP KRA (id ri ) exp idCA )(9) : {σCAh (Cj ) | j ∈ / I} (10) b−1

: (σCAh (Cj )) j = σCAh (mj ) = σCAh (Vj exp idCAh )

(11)

Acquisition phase: ∗

V −→ P P

: EP KP P (Vi , exp, idCAh , (12) σCAh (Vi exp idCAh ), P KPi , σPi (◦))

PP

: Pi = (P KPi , Vi , expPi , idP P ; σP P (◦))(13)

∗

V ←− P P

: Pi Fig. 1.

(14) Pseudonym issuance protocol.

III. S YSTEM M ODEL Our system model is based on the SeVeCom system model [1]. A vehicle V is identifiable by a unique long-term identifier idV , e.g., an identity certificate and the corresponding key pair. V is registered with an authority CAh , its home CA identified by idCAh . CAh manages V ’s virtual identity and issued idV . In practice, a regional vehicle registration authority could take on this role, thus consolidating authority over V ’s virtual identity and physical license plates. V can obtain pseudonyms Pi from pseudonym providers P Pk . Pseudonym providers are independent from CAh so that V can engage with arbitrary P Pk . Before new Pi are issued, V is authenticated and it is verified that V has not been revoked. A pseudonym Pi is a public key certificate for a key pair (P KPi ,SKPi ), containing no information linking Pi to V or any Pj (j = i). When communicating, V signs messages with secret key SKPi of the current pseudonym Pi . The signature and Pi are attached to the message for verification by receivers. The resolution authorities RAl take part in pseudonymidentity resolution. A subset of them has to cooperate in the process. RAl should be independent from authorities involved in the issuance of a pseudonym. IV. E MBEDDING I DENTITIES IN P SEUDONYMS Our approach is based on the idea of embedding resolution information directly in pseudonym certificates rather than 1 PRIME

website: http://www.prime-project.eu/ website: http://www.sevecom.org/ 3 PREDRIVE-C2X website: http://www.pre-drive-c2x.eu/ 2 SeVeCom

having authorities store them. idV , idCAh , and a unique randomization factor r are encrypted with P KRA , the commonly known public key of the resolution authorities. Resulting ciphertexts, we call them V-tokens, are unlinkable. For randomized encryption schemes, like ElGamal, r is implicitly part of the encryption scheme, while r must be explicitly included for deterministic encryption schemes, like RSA. Pseudonyms with embedded V-tokens are issued in a two phase protocol, which ensures that V-token content is valid but prevents issuing authorities from linking pseudonyms to vehicles (see Sec. IV-A). V uses the resulting pseudonym Pi for normal message authentication by signing messages with SKPi and attaching Pi to the message. Receivers verify Pi and the signature. Thus, embedding the V-token in Pi does not affect how Pi is used in communications. If required, pseudonym-identity resolution is performed collaboratively by a minimum number of authorities. They need to jointly decrypt the V-token embedded in a Pi to retrieve the linking information. Sec. IV-B details the resolution protocol. A. Privacy-preserving Pseudonym Issuance The privacy-preserving issuance protocol employs a blind signature scheme to prevent issuing authorities from learning linking information. In the authentication phase, V first obtains blindly signed V-tokens from CAh . Subsequently, Vtokens are used in the acquisition phase to obtain pseudonyms from a pseudonym provider P P . The full protocol is given in Fig. 1 and is detailed in the following.

Authorized licensed use limited to: UNIVERSITEIT TWENTE. Downloaded on July 22,2010 at 09:05:11 UTC from IEEE Xplore. Restrictions apply.


1) Authentication phase: The authentication phase between V and CAh results in one or more V-tokens blindly signed by CAh . The protocol description has been generalized to remain independent from a specific signature scheme. We only assume that a blind signature extension exists for the signing algorithm, as is the case for RSA [7] or EC-ElGamal [8]. An abstract notation is used for blinding operations. (m)b indicates a message m blinded with blinding factor b, and −1 unblinding is represented by ((m)b )b = m with b−1 being the corresponding unblinding factor. Actual blinding and unblinding operations depend on the employed blind signature scheme and may consist of multiple steps. We step through the protocol in the following. In (1) V sends a V-token request req to CAh signed with SKV to prove identity idV . The structure of req depends on the chosen authentication scheme and may entail further message exchange. (2) CAh verifies the signature σV (req) with V ’s public key P KV and checks internally that V has not been revoked. CAh then returns to V the composed identifier id = idCAh idV to be included in the V-token, the public key of the resolution authorities P KRA , idCAh , expiration date exp, and requests n commitments. The expiration date exp is set to a discrete value, e.g., midnight or last day of the week, to prevent linking based on individualized exp. V verifies that id is correct. Then, (3) V creates n Vtokens Vi by choosing a unique random ri that is appended to id, before encrypting it with P KRA . exp and idCAh are appended to each Vi . The expiration date limits the lifetime of a V-token. idCAh is required for verification purposes later in the acquisition phase. (4) V then chooses n random distinct blinding factors bi , with inverse b−1 i . Each mi is blinded, resulting in commitments Ci = (Vi )bi . (5) V sends and ri . C1 , . . . , Cn to CAh , and stores the corresponding b−1 i Now, V is committed to the content encoded in all Ci in the sense that it cannot manipulate or change the content anymore. V has to prove probabilistically to CAh that the encoded content contains id as provided by CAh in (2). As part of the commitment scheme, CAh asks V to reveal the content of some random Ci . For this purpose, (6) CAh randomly chooses h ≥ n/2 commitments Ci and requests the corresponding b−1 i and ri . The selected indices i are organized in the indices and ri , i ∈ I, set I which is sent to V . (7) V sends b−1 i to CAh . Now, CAh can verify the content of Vi by first (8) unblinding the commitments Ci with b−1 i to obtain mi (i ∈ I). Then, (9) CAh computes the corresponding V-token with ri . The result has to be compared to mi . If all unblinded mi are / I) are also correct, the remaining n − h commitments Cj (j ∈ correct except for an exponentially small probability, i.e., the probability that V managed to cheat is negligible. This is due to V not knowing which Ci will be unblinded later when it creates the commitments, and not being able to change them when CAh selects the commitments to be opened. See [9] for a formal analysis of the security of commitment schemes. By adjusting the ratio of h : n, CAh can control the cheating probability in trade-off with required overhead. (10) CAh signs the remaining commitments Cj with its

secret key SKCAh , yielding n − h blind signatures σCAh (Cj ) which are sent to V . In the last step, (11) V unblinds each (j ∈ / I). This σCAh (Cj ) by applying the corresponding b−1 j way, V obtains n−h V-tokens Vj , each encrypted with P KRA and signed by CAh . 2) Acquisition phase: Once in possession of signed Vtokens, V interacts with a pseudonym providers P Pk to obtain a pseudonym Pi for each signed V-token Vi . The signed V-token is used as an anonymous authentication credential. It implicitly certifies that its owner has been authenticated successfully by CAh , identified by idCAh . To ensure the anonymity of V when interacting with P P and to ensure unlinkability between resulting pseudonyms and V , an anonymous communication channel is required between the two ∗ parties (denoted by →). Either V uses a previously issued pseudonym to communicate anonymously or an anonymization mechanism like onion routing [10] can be used. The acquisition phase starts with (12) V generating a new key pair (P KPi , SKPi ) as a pseudonym key pair. Here, the key generator function of the signature scheme for VANET authentication is used. V stores SKPi securely. V sends a pseudonym certification request to P P containing P KPi and a signed V-token Vi (including exp and idCAh ). V signs the request with SKPi to prove its ownership. Hereby, σPi (◦) indicates a signature over a whole message. The request is further encrypted with P KP P . P P decrypts the request and verifies σPi (◦). P P checks the validity of the presented V-token by verifying signature σCAh (. . . ) with CAh ’s well-known public key P KCAh , identified by idCAh . If valid, P P proceeds by checking that Vi has not expired and has not been used before (see Sec. IV-A3). If all checks succeed, (13) P P includes the plain V-token Vi (without σCAh , exp, and idCAh ) in a pseudonym certificate Pi for P KPi . Pi also contains an expiration date expPi and idP P . (14) P P sends Pi to V . V can now use Pi for message authentication. We only showed the acquisition of one pseudonym. V can repeat the acquisition phase for each V-token Vi previously obtained. V can also acquire pseudonyms from different pseudonym providers P P by engaging with multiple P P s in the acquisition phase. This can be advantageous in a region where a specific pseudonym provider is dominant, i.e., it issued the majority of pseudonyms used in that region. While V may usually use pseudonyms of its preferred provider P Pa it can obtain pseudonyms from P Pb to prevent sticking out when travelling through a region dominated by P Pb . In theory, this issue could be avoided by only allowing one pseudonym provider in the system. However, in practical systems it can be expected that several pseudonym providers will exist, e.g., in different countries. 3) Double spending prevention: The issuance protocol enables V to obtain pseudonyms anonymously from different pseudonym providers, but V could present one signed Vtoken Vi to multiple P Pk to obtain more pseudonyms than it has signed V-tokens. Pseudonyms containing the same Vi would be trivially linkable, but by using them at different



spatiotemporal positions linking could be rendered unlikely. Double spending, i.e., multiple use of tokens, is a well-known problem of electronic cash and credential systems [11]. Double spending of V-tokens can be prevented by extending pseudonym provider functionality. Pseudonym providers can operate a distributed V-token clearing house CH in which hash values of used V-tokens are stored. In step (13), P P additionally computes H(Vi ) and queries CH for it. H(Vi ) is rejected if it is already in CH and added to it otherwise. Optionally, exp could be stored with H(Vi ) to enable automated deletion of expired entries. Storing only hash values in CH instead of actual V-tokens reduces storage size and ensures that CH does not contain any (encrypted) linking information. CH could be realized as a distributed hash table (DHT) to provide scalable lookups. B. Collaborative Identity Resolution While identity resolution is part of conditional pseudonymity to prevent misuse and abuse of a system, it also exposes users to potential privacy infringement. Therefore, the information required for identity resolution needs to be protected properly, so that it is only available to some authorities in very specific situations. Separation of duties is a common principle to prevent intentional or unintentional misuse of information or processes. We apply separation of duties to the protection of identity resolution information. For this purpose, we distribute the ability to perform identity resolution between a number of authorities and enforce their collaboration to perform identity resolution with a threshold encryption scheme. In our system, identity resolution corresponds to the decryption of a V-token Vi embedded in a pseudonym Pi to obtain idV that links Pi to vehicle V . The secret key of the resolution authorities SKRA is split among n resolution authorities, so that each holds only a share of SKRA . Cooperation of a subset of k of n RAs is required to decrypt a V-token, which has been encrypted with P KRA . For protocol description, we assume three resolution authorities: a law enforcement agency L, a judge or juridical institution J, and a data protection agency DP . L wants to identify the sender of a message with pseudonym Pi , J decides if evidence provided by L is sufficient to justify identity resolution, and DP surveys privacy breaches. We will discuss later how the protocol can be extended for more complex scenarios. It is assumed that a common public key P KRA has been published and that the secret key SKRA has been L J DP , SKRA , and SKRA . We use a divided into three shares SKRA (3, 3)-threshold scheme, i.e., all three shares need to be applied to successfully decrypt a V-token Vi = EP KRA (id ri ). The use of secret sharing homomorphisms [12] and a homomorphic encryption scheme, e.g., ElGamal [13], enable homomorphic threshold decryption that prevents SKRA or its shares from being disclosed in the decryption process. Each party applies its secret share to Vi , and only when the k-th entity applies its secret share, EP K (m) is decrypted. The input for identity resolution is a pseudonym certificate Pi containing a V-token Vi , for which L is convinced that

(1) : (Vi , Ei ) J (Vi ) (2) : ViJ = DSKRA J (3) L ←− J : Vi , σJ (Ei ) L −→ DP : ViJ , Ei , σJ (Ei ) (4) J DP Vi (5) DP : ViJ,DP = DSKRA L ←− DP : ViJ,DP (6) L L : ViJ,DP,L = DSKRA ViJ,DP (7) L DP J = DSKRA DSKRA DSKRA (Vi ) L −→ J J

= DSKRA (EP KRA (id)) = id = idCAh idV L −→ CAh L ←− CAh Fig. 2.

:

(id)

(8)

:

info V

(9)

Collaborative identity resolution protocol with 3 authorities.

resolution is justified. L collects supporting evidence in the evidence set Ei . Fig. 2 gives all steps of the protocol which are now discussed in detail. First, (1) L extracts Vi from Pi and gathers evidence Ei . L forwards Vi and Ei to J with a request for identity resolution. (2) J assesses Ei and either supports or declines identity resolution on basis of the provided evidence. If J supports J . J also resolution, it decrypts Vi with partial secret SKRA signs Ei to certify its approval for identity resolution. This is optional but can serve for audit purposes. (3) ViJ and σJ (Ei ) are returned to L. Note that as long as Vi has been decrypted by less than k − 1 RAs, no information about the plaintext is revealed. Next, (4) L forwards ViJ and the evidence signed by J to DP . DP verifies σJ (Ei ) with J’s well-known public key P KJ . If the signature is valid, DP can either trust J’s assessment of Ei or perform its own assessment of the evidence. (5) If DP decides to support identity resolution, it DP . (6) DP returns decrypts ViJ with its partial secret SKRA J,DP to L. Vi L to ViJ,DP Now, (7) L can apply its own secret share SKRA J,DP,L yielding Vi . The threshold k = 3 is reached, thus, J,DP,L equals the decrypted plaintext identifier id. Note, that Vi only L learns the linking information id because it applies its secret share last. (8) Based on id, L can contact the regional CA (CAh ) responsible for the long-term identity idV to request further information about vehicle V . CAh looks up idV in its database and returns information about V to L. If required, CAh can revoke V ’s long-term identity to prevent V from obtaining new V-tokens in an additional step. L has successfully linked pseudonym Pi to vehicle V and has sufficient information to hold V accountable. The protocol provides a straightforward approach for identity resolution with enforced distribution of resolution authority. It is also



extensible and flexible. For example, the order in which entities apply their secret share is irrelevant as long as the k-th entity is the one that should learn the plaintext. We used a simplified scenario with only three RAs to outline the protocol, but hierarchical secret sharing schemes exist [14] that can model multilevel hierarchies with different threshold values for different subtrees. Such a scheme can be instantiated to reflect the external and internal organizational structure of RAs and how secret shares are distributed and divided further. Another aspect to consider is the initial computation of the key pair (P KRA , SKRA ) and splitting of SKRA , which should not rely on a trusted party. Instead, a secure multiparty computation (MPC) protocol, such as in [15], should be used that allows participating RAs to jointly compute (P KRA , SKRA ) and individual secret shares, without revealing SKRA in the process. The setup of an MPC scheme for key initialization is out of scope of this work. V. A NALYSIS Our analysis focuses on the protocols’ ability to resist security and privacy attacks. We have identified two general categories of potential attacks. In a repudiation attack, V tries to cheat the issuance protocol in order to evade accountability. In a linking attack, other entities aim to link pseudonyms or V-tokens to V or each other. We assume that adversaries participating in the issuance or resolution protocol behaves semi-honest, i.e., adhere to defined protocol steps. Thus, denial of service attacks are excluded in the following. For linking attacks, we additionally assume that the adversary does not have access to V ’s sensitive key material. This also includes V-tokens signed by CAh . This assumption can be realized in practical systems by storing such data in a tamper-resistant hardware security module in the vehicle [1]. A. Repudiation Attacks Vehicle V could try to mount a repudiation attack with the aim of evading non-repudiation. Thus, the attack goal is to prevent that correct identity information is embedded in pseudonyms in the issuance protocol (see Fig. 1). In the authentication phase, V could try to include a wrong identifier in Vi in step (3). This is prevented by the commitment scheme [9], which ensures that CAh would detect a wrong identifier with exponentially large probability in step (9). At the same time, it is not possible for CAh to include a wrong identifier because V generates the V-token itself. In the acquisition phase, V could try to submit an arbitrary bitstring instead of a V-token to P P , or a real V-token extracted from a pseudonym of another vehicle. Both attacks would not be successful, because P P requires a valid signature by a CA, i.e., CAh , on a V-token to accept it. V-tokens that have already been embedded in a pseudonym do not carry a CA signature any more and would also be detected by querying the distributed clearinghouse in (13) (see Fig. 1). B. Linking Attacks In a linking attack, an adversary tries to link pseudonyms or V-tokens to their respective holder, i.e., vehicle V . Adversaries

in a linking attack can either be entities actively participating in the issuance or resolution protocols or external entities not involved in the protocols. Note, that linking attacks based on vehicle tracking are out of scope of this work. An external adversary may perform a linking attack in order to infer vehicle movement patterns, which afterwards could be combined with further external information that enables inference of the vehicle identity. By definition, pseudonym certificates contain no linkable information. Encoded public keys and certificate identifiers are generated randomly. Pseudonyms can also not be linked based on V-tokens embedded in them, due to the randomization factor r, which ensures that V-token ciphertexts are randomized and unlinkable. However, idP P could facilitate linking of pseudonyms if V successively uses pseudonyms issued by one P P , in a region where most vehicles use pseudonyms issued by another P P . As discussed before, this can be thwarted by obtaining pseudonyms from multiple providers or from the P P most dominant in a specific region. Thus, vehicle V can control the success likelihood of such a linking attack by its choice of P P for a given context. Potential linking attacks that involve protocol participants are discussed separately per protocol. 1) During pseudonym issuance: In the pseudonym issuance protocol, CAh , P P , or both could act as adversaries. We can analyze what information each party learns during protocol execution by defining their respective knowledge sets K(CAh ) and K(P P ). CAh knows idV because it maintains V ’s information. It learns the opened commitments, which however do not contain new information. The blind signature scheme in steps (4)-(11) prevents CAh from learning which V-tokens it signed. So at the end of the acquisition phase the knowledge set of CAh , with i ∈ I, is K(CAh ) = {idCAh , idV , req, id, exp, C1 , . . . , Cn , mi } . P P learns the presented V-token Vi and the pseudonym Pi it issues, but not idV : K(P P ) = {idP P , Vi , exp, idCAh , expPi , Pi } . Further, we define the identity set I(V ) = {idV } and the anonymity set A(V ) = {Vi , Pi } for vehicle V . An adversary can only link a pseudonym to V if it knows at least one item from I(V ) and one from A(V ) after protocol execution. Thus, to prevent linking the following condition must be fulfilled: K(X) ∩ I(V ) = ∅ ∨ K(X) ∩ A(V ) = ∅. This holds true for CAh and also for P P : K(CAh ) ∩ I(V ) = I(V ), K(CAh ) ∩ A(V ) = ∅ K(P P ) ∩ I(V ) = ∅, K(P P ) ∩ A(V ) = A(V ). Therefore, neither CAh nor P P can link Pi and idV on their own. We can further show that linking is not possible even if CAh and P P collude. Because authentication and acquisition phase are decoupled, a shared information set between CAh and P P would be required for linking: K(CAh ) ∩ K(P P ) = {idCAh , exp} .



Thus, CAh and P P could only encode linking information in idCAh and exp. Although CAh originally specifies idCAh and exp in the authentication phase, V can ultimately verify them in step (4). V can prevent CAh from issuing traceable V-tokens by requiring a fixed identifier idCAh and that exp adheres to a fixed expiration scheme, e.g., noon, midnight, or end of the week. Therefore, the pseudonym issuance protocol is robust against linking attacks by any of the involved parties. 2) During identity resolution: The identity resolution protocol is flexible in terms of definition and structure of secret sharing schemes and thresholds in order to be adjusted to organizational requirements. Participants of the secret sharing scheme should be selected in a way that reduces incentives for collusion, e.g., because of inherently divergent interests. We assume that participants have been chosen in a way that results in a negligible probability of a collusion of ≥ k parties, for decryption threshold k. Returning to our example from Sec. IV-B with authorities L, J, and DP and k = 3, it is apparent that no information about the content of V-token Vi is revealed until all parties applied their secret shares and the threshold is reached. By analyzing the knowledge sets after protocol execution of each party, we see that J and DP do not gain information about V through execution of the protocol: K(L) = {Pi , Vi , Ei , idV , info V } , K(J) = K(DP ) = {Vi , Ei } Thus, J and DP can participate in the protocol without learning id. Only L learns the content of Vi , but this is the aim of the protocol. The protocol cannot prevent L from sharing id with other parties after resolution. But this is an inherent problem of any protocol in which sensitive information needs to be revealed, e.g., credit card transactions. When L and CAh exchange information in steps (8) and (9) (see Fig. 2), Pi and Vi have already been linked to V , as is the purpose of the protocol. However, neither L nor CAh gain direct information about any other Pj or Vk (j, k = i) belonging to V . Therefore, perfect forward privacy [3] is achieved, i.e., the resolution of one pseudonym to an identity does not facilitate linking of other pseudonyms of that user. What is left to analyze is if it is feasible for an entity that knows idV and P KRA , e.g., L or CAh , to compute all possible V-tokens for vehicle V with an exhaustive search over r. The purpose would be tracking of a single vehicle V by linking the Pi and Vi to V . In the case that idV and P KRA are known to the adversary, the security of the V-token depends on the bitsize of the randomization factor r. By choosing r sufficiently large, such an attack is rendered infeasible. But larger r entail larger V-tokens and pseudonyms and, thus, a tradeoff between security and communication costs is required. Due to space limitations, we will provide an analysis of this attack and tradeoff in future work. VI. C ONCLUSION The outlined approach for conditional pseudonymity in vehicular networks does not require pseudonym-identity mappings to achieve accountability. Instead, resolution information

is embedded as encrypted unlinkable V-tokens in pseudonym certificates. As a result, the privacy of vehicles is enhanced in multiple ways. No authorities need to be trusted to protect privacy sensitive resolution information, identity resolution requires the cooperation of several authorities in order to be successful, and perfect forward privacy is provided. At the same time, authorities can still determine the identity of a pseudonym holder when necessary, but without the need to manage large amounts of critical information requiring secure storage and protection. With our V-token approach, each vehicle carries its own resolution information, thus, also providing a scalability advantage. We have also shown that the issuance and resolution protocols are resistant against repudiation and linking attacks. The security of V-tokens can be controlled but entails a tradeoff with communication costs. In future work, we will provide an extended analysis of this tradeoff. We are also currently evaluating with simulations how the additional overhead of embedded V-tokens in pseudonyms affects inter-vehicular communications in scenarios with varying traffic density. As a future extension, we also plan to include pseudonym revocation in our scheme. R EFERENCES [1] P. Papadimitratos, L. Buttyan, T. Holczer, E. Schoch, J. Freudiger, M. Raya, Z. Ma, F. Kargl, A. Kung, and J.-P. Hubaux, “Secure vehicular communication systems: Design and architecture,” IEEE Communications, Nov. 2008. [2] IEEE P1609.2 working group, “IEEE trial-use standard for wireless access in vehicular environments - security services for applications and management messages,” IEEE Std 1609.2-2006, 2006. [3] F. Schaub, Z. Ma, and F. Kargl, “Privacy requirements in vehicular communication systems,” in Intl. Symposium on Secure Computing (SecureCom09), IEEE PASSAT09, Vancouver, Canada, August 2009. [4] F. Armknecht, A. Festag, D. Westhoff, and K. Zeng, “Cross-layer privacy enhancement and non-repudiation in vehicular communication,” in 4th Workshop on Mobile Ad-Hoc Networks (WMAN07), March 2007. [5] L. A. Martucci, M. Kohlweiss, C. Andersson, and A. Panchenko, “Selfcertified sybil-free pseudonyms,” in Proc. 1st ACM Conf. on Wireless Network Security (WISEC 2008), USA, March 2008, pp. 154–159. [6] L. Fischer, A. Aijaz, C. Eckert, and D. Vogt, “Revocable anonymous authenticated inter-vehicle communication (SRAAC),” in Embedded Security in Cars (ESCAR 2006), Berlin, Germany, 2006. [7] D. Chaum, “Blind signature systems,” US Patent 4759063, July 1988. [8] D. Jena, S. K. Jena, and B. Majhi, “A novel untraceable blind signature based on elliptic curve discrete logarithm problem,” IJCSNS, vol. 7, no. 6, pp. 269–275, 2007. [9] I. Damgard, “Commitment schemes and zero-knowledge protocols,” LNCS, vol. 1561, pp. 63–86, 1999. [10] D. Goldschlag, M. Reed, and P. Syverson, “Onion routing for anonymous and private internet connections,” Comm. of the ACM, vol. 42, no. 2, pp. 39–41, 1999. [11] D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in Proc. on Advances in Cryptology. New York: Springer, 1990, pp. 319–327. [12] J. C. Benaloh, “Secret sharing homomorphisms: Keeping shares of a secret secret (extended abstract),” in CRYPTO ’86, ser. LNCS, vol. 263. Springer, August 1986, pp. 251–260. [13] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. on Inf. Theory, vol. 31, no. 4, pp. 469–472, 1985. [14] G. J. Simmons, “An introduction to shared secret and/or shared control schemes and their application,” in Contemporary Cryptology. IEEE Press, 1992, pp. 441–498. [15] R. Cramer, I. Damg˚ard, and J. B. Nielsen, “Multiparty computation from threshold homomorphic encryption,” in EUROCRYPT, ser. LNCS, vol. 2045. Springer, 2001, pp. 280–299.
